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. (54) System and method (or providing anonymous personalized browsing in a network 



(57) For use with a network having server sites ca- 
pable of being browsed by users based on identifiers 
received into the sen/er sites and personal to the users, 
alternative proxy systems lor providing substitute iden- 
tifiers to the sender sites that allow the users to browse 
the sen/er sites arx>nyniousiy via the proxy system. A 
central proxy system includes computer-executable 
routines that process site-specific sulDstitute identifiers 
construcied from data specific to the users, that trans- 
mfts the substitute identifiers to the server sites, that re* 



transmits browsing commands received from tfte users 
lo the sender sites, and that removes portions of the 
browsing commands that would ideniify liie users to the 
server sites. The foregoing functionality is performed 
consislently by the central proxy system during subse- 
quent visits to a given server sile as the same site spe- 
cific substitute identifiers are reused. Consistent use of 
the site specific sut^titute identifiers enables the server 
site to recognize a returning user and, possibly provide 
persor^lized senrice. 
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Description 

TECHNICAL HELD OF THE INVENTION 

The present invention is directed, in gene ral, to net- s 
works and. more specifically. 1o a system and method 
that allows a user to browse personalized server re- 
sources on a nslwof k anonymously. 

BACKGROUND OF THE INVEWTION iO 

The Internet is a well-known oolleclion of networks 
{e.g., public and private data communicatbn and multi- 
media networks) that work together (cooperate) using 
comrrton protocols to form a world wide network of net- 
works. 

In recent years, the ava ilabilily of nnore efficient, re- 
liable and cost-effective computers artd networking 
tools have allowed many companies and individuals 
(collectively, •users') to tsecome involved in an ever so 
growing electronic marketplace. The immeasurable 
gains in technology experienced by the computer indus- 
try overall have allowed these users to rely on commer- 
daliy available computers, such as personal computers 
('PCS"}: to meet their information processing and corn- ^ 
rhunication needs. To that end. PC manutacturers equip 
most PCS with an interface that may bo used for com ' 
municaiion over networks, such as the Internet 

The Internet continues to increase iis position as an 
integral place lor businesses that offers information and 30 
services to potential customers. Popular examples o1 
such businesses are news providers [e.g., www.cnn. 
com (the Cable News Network), www.nytimes.com (the 
New York Times), www.w6j.com (the Wall Street Jour- 
nal), www.1t.com (Financial Times Magazine), www. 35 
businessweek.com (Business Week Magazine)); car 
manufacturers {e.g., www. ford. conVus (the Ford Motor 
Company), www.gm.com (the General Motor Compa- 
ny). www.toyota.com (the Toyota Motor Company)): 
book stores (9.g.. www.ama20n.com (Amazon.com ^ 
books)): software providers {e.g., www.microsoft.com 
(the Mk:rosoli software conrpany)) and many more. 

Most olten, such a bushess sets up a home page 
onJhe Worid WkJe Web (a 'web-site," the World wide 
Web is a logical overlay of the Internet). The web-site <^ 
constitutes an electronically-addressable k>cation that 
may be used lor promoting, advertising and conducting 
business. Potential electronic customers use web- 
browsers {e.g., NETSCAPE NAVIGATOR®, MICRO- 
SOFT EXPLORER®, etc.) to access the informalion ot- so 
fared on those web-sites. 

An increasing number of web sites offei personal- 
ized services that may include "personalized web pag- 
es' customized to a user's interests, with hyper-links (a 
reference or link from some point in one hypertext doc- 55 
ument to some point in another document or another 
place in the same document - often displayed in some 
distinguishing way {e.g.. in a different color, font or 



style)) and displayed messages taiored according to 
Ihe user's prelerences. Such preferences can be ascer- 
tained by having a user establish an account with that 
web-siie. Ths allows the web-srte to store information 
about the user's previous visits, either by tracking the 
hypei-links the user followed or through explicit dialogs 
with the user. For example, the Wall Street Journal pro- 
vides a/perscnalizad journal' to each user, where the 
sequence and selection of sections is customized. In or- 
der to open an account, the user typk:alty has to com* 
plete a form electronicatlyi providng a user riame. a 
password, an electronic-mail ('^nrtair) address, etc. 
The latter is often used by the web^site to send back 
informatbn not provided on the web-site itself to the us- 
er. 

Given the inherent tack of privacy ol electronic com- 
miinicatbn over the Internet generally, and. particularly, 
the Workj Wide Web, ft has long been felt that a system 
tt^t could ensure private electronic communbation 
would be highly acN^ntageous. As an example of the 
problem, consider the plight of a customer that would 
like to browse the World Wide Web in a safe and private 
(anonymous) manner, visiting sites that provide person- 
alized service: The customer woytd like to establieh ac- 
counts on web-sites without revealing his true identity, 
and without reusing the same user names, passwords, 
for multiple sites. Customers should refrain from reusing 
the same user names and passwords at multiple sites 
to avoida security breach atone site loaffect other sites: 
additknaJly, refraining Irom using such user names and 
passwords limits the ability of multiple sites from collud- 
ing to combrie customer information and buiki dossiers 
on particular customers. 

Typically, the customer visits nr^ny ot these web- 
sites, and inventing and remembering new user names 
and passwords for each wet>site becomes tedious. 
Moreover, many of these web-sites require the custonn- 
er to include his e-mail address with his user name and 
password - by providing his e-mail address, the cus- 
tomer reveals Ne identity. 

In addition, the re are commercial products available 
that alk}w web-sites to track their clients and visitors. 
Such tracking can be nnade even when no voluntary in- 
formation is provkied by the user and no form is filled 
out. Examples of such systems are 'Webreporter." 
which is available from OPENJMARKET, INC., and 
"SileTrack.- which is available Irom GROUP CORTEX, 
whose advenisenrent reads as follows: 

'Identify who is visiting your site. Record the actual . 
number of people lhat visit. Find which links they follow 
and trace their complete path. Learn which site users 
came from and which site they depart to...' 
These products are made possible because the hyper- 
text transport protocol (■HTTP -protocol "), on v/hich the 
World Wide Web is largely teased, allows specific tntor- 
nnatton to flow back from the user to the web-site. This 
can include for example, the usei*s e-mai) address, the 
last web-site he came from, and tnfornnation about the 
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us9r*s€oUware and host-computer Othor pertinont user 
information may be. &ent by the web-site 1o the user 
browser using what are commonly referred to as "cook- 
ies* (pieces of irifonmatbn that web-siies may store at 
the user's browser). On subsequent visits to the web- 
site, the user's browser sends back information to Ihe 
web-site without the user's knowledge. 

From the foragoirig, it is apparent that what is need- 
ed in the art is a scheme that provides anonyr^ous per- 
sonalized web browsing that satisfies two seemingly 
conflicting objectives, namely, providing user privacy 
and user identification. 

SUMMARY OF THE INVENTION 

To address the above-discussed deficiencies ol the 
prior ad, the present invention introduces a proxy sys- 
tem that performs two basic functions: (1) automatic 
substitution of user-specific identifiers such that server 
sites {e.g., web sites, junctbn points, intelligent portal 
devicee, routers, network eervers; etc.) within a nehvork 
are prevented Irom determining the true identity of Ihe 
user browsing (accessing, locating, retrieving, reading, 
contacting, etc.) the sites; and (2) automatic stripping of 
any other information associated with browsing com- 
mands that would allow the sen/er sites to determine the 
true identity of the user browsing the server sites. An 
important aspect of the present invention is that Ihe fore- 
going functions are perfonmed consistently by the proxy 
systiam during subsequent visits to the server site (the 
same substitute identifiers are used oi^ repeat visits to 
the server site: the sen/er site also cannot distinguish 
between information supplied by the user arKf the proxy 
system, thus the proxy system is transparent to the sery- . 
er site). The present invent bn therefore rxjt only intro- 
duces anonymous browsing, but also persona li2ation 
based upon the consistent use of substitute identifiers. 

It should be noted that the term true,' as used here- 
in, means accurate, actual, authentic, at least partially 
correct, genuine, real or the like, the term 'or, ' as used 
herein, is inclusive, meaning and/or; and the phrase "as- 
sociated with' and derivatives thereof, as used herein, 
may mean to include whhin, interconnect with, contain, 
be contained within, connect to or with, couple to or with, 
be communicable with, juxtapose, cooperate with, inter- 
leave, be a property of. be bound to or with, have, have 
a property of, or the like. 

As is described in greater detail hereinbelow. the 
priryHples of the present invention address the cortTlict- 
ing objectives of user privacy and user identification de- 
scribed hereinatxTve by providing a proxy system, a pe- 
ripheral proxy system, and a method of providing sub- 
stitute identifiers to a server site that allow users to 
Ixowse the same anonymously via the proxy system. 

\t\ one embodimeni, the present Invention provides, 
for use with a network having server sites capable of 
being browsed by users based on identifiers received 
into the server sites and personal to the users, a central 



proxy system for providing substitute klentifiers to the 
sen^r sites that allow the users to browse the server 
sites anonynnously via the central proxy system. Accord- 
ing to varbus embodiments of the present invention, the 

5 substitute dentifiers may be suitably constructed by the 
user she or a routine associated with the central site (ad- 
vantageous ways (functions) of constructing the substi- 
tute identifiers are described hereir^after). The exempla- 
ry central proxy system includes: (1) a computer-exe- 

^0 cutable first rouihe that processes (receives, accepts, 
obtains^ constructs, produces, etc.) site -specific substi- 
tute identifiers constructed from data specify to the us- 
ers. (2) a computer-executable second routine that 
lrar)smits the subst ituts identifiers to the server sites and 
thereafter retransmits birowaing commands received 
Irom the users to the server sites and (3) a computer* 
executable third routine that removes (and possibly sub- 
stitutes) portions of the browsing comrnands that woukJ 
identify the users to the server sites. "Include* and de* 

20 rivatiyes thereof, as used herein, means inclusion with- 
out limitation. 

In one embodiment, the first of the two above-enu- 
merated basic functions is performed external to the 
central proxy system, while in another it is performed. 

^5 at least in part, within the central proxy system The cen- 
tra I proxy system processes andfonivardsthe substitute 
identifiers as appropriate and directly performs the sec- 
ond of the above-enumerated basic functions by strip- 
ping other Information thai would tend to identify the us- 

30 ers. An Internet Access Provider (1 S P'). such as NET- 
COM®, or a networking service, such as AM ERICA ON- 
LINE® or COMPUSERVES) can advantageously em- 
ploy the central proxy system to provkje anonymous re- 
transmission of browsing commands by their users. 

^ It is important to understand that subsequent use of 
the proxy system by a "same* user to a 'same' server 
site will cause the proxy system to construct (directly or 
indirectly) and use the same (site-specific) substitute 
klantifiers. Typically, the proxy system functions as a 

^ conduit communicating messages between the user 
and the senrer. Depending upon the embodimeni. the 
proxy system may remove or substitute some portion of 
messages communicated by the user to the sender to 
ensure anonymity. 

An alternative advantageous embodiment of the 
present invention may be provided in the form o1 a pe- 
ripheral proxy system designed for use with a network 
havrg a sen/er site capable of being browsed by users 
based on identifiers received into the sen/er site and 

so personal to the users. The peripheral proxy system in- 
cludes: (1 ) a computer-executable first routine that con- 
structs a part'cular substitute identifier from data re- 
ceived from a particular user and (2) a computer-exe- 
cutable second routine that transmits the particular sub- 

55 stitute Identifier to the central proxy system, the central 
proxy system retransmitting the particular eubstitute 
identifier to the server site and thereafter retransmitting 
browsing commands received from the particular user 
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tolhdsorver site. According tothts ambodimGnt. tho first 
routine may be associated, at least in part, with the user 
site, which distributes the basic functions of the present 
invention over nnultiptd compuier systems. 

The foregoing has outlined, rather broadly, pre- s 
f erred and alternative features of the present invention 
so thai those sidlled in ihe art may better understand the 
detailed descriplion of the Invention that follows. Addi- 
tional features o1 the invention will be described herein- 
after thai form the subject of the claims ol the inveniion. fO 
Those skilled in the art should appreciate thiat they can 
readily use the disclosed conception and specific em- 
bcdimehi as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present invention. is 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
inveritton. reference is how made to the following de- 20 
scriptions taken in conjunction with the acconripanying 
drawings, wherein like numbers designate like objects, 
and in which: 

FIGURE 1 illustrates a high-level block diagram of ^ 
an exemplary distributed network with whfch the 
principles of the present invention may be suitably 
usedtopnovide eilheracentralora peripheral proxy 
systemforallowing users to provide substitute iden- 
tifiers to sender sites of a network to browse anon- 30 
ymously. 

RGURE 2 Illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a central proxy system that hcludes 
each of a user site, a central proxy system and a 35 
plurality of illustrative server sites according to the 
principles of the present invention; 
FIGURE d Illustrates an exemplary full screen win- 
dow of a proxy system according to the principles 
of the present invention; . 40 
FIGURE 4 illustrates an exemplary full screen win- 
dow of an interlace ol a particular sen/er site ac- 
cording to the principles ot the present invention: 
FIGURE S illustrates a block diagram of an exem- 
. plarysub-networkol the distributed network ol FIG- <s 
URE 1 showing a peripheral proxy system that in- 
cludes each of a user site, a central proxy system 
and a plurality of il lust rati ve server sile according to 
the principles ot the present invention; arxJ 
FIGURE 6 illustrates a block diagram of an exem- «> 
plary sub-network ol the distributed networli ol FIG- 
URE i Including each of a user site, a central proxy 
system and a plurality of illustrative sender sites ac> 
cordirig to an exemplary marker proxy embodiment 
ot the present Invention. ss 



DETAILED DESCRIPTION 

Referring initially to FIGURE 1 illustrated is a high- 
level bkx:k diagram of an exemplary distributed network 
(generally designated 100) with which the principles of 
the present invention may be suitably iised to provide 
either a central or a peripheral proxy system. Distributed 
netvtrork 100 illustratively includes a plurality of compu- 
ter sites 105 to 110 that are iltustrativeiy associated by 
Internet 115. internet 115 Includes the World Wide Web« 
which is not a network ftsell, but rather an "abstractkm" 
maintained on top ol Internet 115 by a combination of 
browsers, server sites, HTML pages and the like. 

According to the illustratsd embodiment, either 
proxy system provkies substitute identifiers to one or 
more of a plurality of server sites 110 of network 100. 
The substitute identifiers allow user sites (and, hence,, 
users (not shown)) to browse the server sites anony- 
rnbusly via the proxy system. Consistent use of the 
same (site-specific) substitute identifiers at a partcular 
server site persona Ii2es browsing. For purposes of illus> 
lralk)n. site 105a is assumed throughout this document 
10 be a user site, site 11Qa is assumed to be a central 
proxy site, and site llOg is assumed to be a sen/er site. 

Those of skill in the pertinent art will understand that 
FIGURE 1 1s illustrative only. In other configuratbns, any 
ot sites 105 to 110 may be a user, a central proxy or a 
server site, or acombinatidnof at leastlwoof the same. 
"Sen/er site,' as the term is used herein, is construed 
broadly, and liriiay include any site capable of being 
browsed. 

Although the illustrated embodimem is suitably Im- 
plemented for and used over Internet 1 1 5, the principles 
and broad scope of the present invention rr^y be asso- 
ciated with any appropriately arranged computer, com- 
munications, multimedia or other network, whether 
wired or wireless, that has server sites capable of being 
browsed by. users based on identifiers received into the . 
server sites and that are personal to the users. Funher. 
though the princples ol the present invention are illus- 
I rated using a single user site 105a, a single central 
proxy site llOa and a single server site nOg, alternate 
embodiments within the scope of the same may include 
a plurality of user, central proxy or server sites. 

Exemplary network 1 00 is assumed to include a plu- 
rality of insecure communication channels that operate 
to intercoupie ones of the varous sites 105 to 110 of 
network 100. The concept of communicatkxi channels 
is known and allows insecure communication of intor- 
mation among ones of the hlercoupled sites (the Inter- 
net employs conventional communication protocols that 
are also known). Adistrbuted network ope rating system 
executes on at least sonrte of sites 105. 110 and may 
manage the insecure communication of informal ion 
iherebeiween. Distributed network operating systems 
are also known. 

According to exemplary central proxy system 11 Oa 
ot the present inventton. which Is discussed In detail with 
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relGrenco to FIGURE 2. substilute idontifiors may be 
suitabty indirectly provided by central proKy system 
110a to server she 1 lOg (recall that substitute idenliflers 
allow user site iDSa to browse server site 1lOg anony- 
moueiy). One or more site -specific substttuts identifiers 
are suitat^ly provided or constructed Irom data specific 
to user \ 05a either by user 1 OSa or central proxy system 
110a Central proxy system 1lOa includes a plurality of 
executable routines - a first routine processes site-spe> 
ciftc substitute identifiers constructed from data specinc 
to user I05a (stte-specific substitute identifiers may be 
suitably constructed by a central proxy site iiOa, such 
as by a routine associated with central proxy system 
110a); a second routine transmits the substitute identi- 
fiers to server site 1 lOg (possibly via a pluraDty of inter- 
mediate user and senrer sites 105. 110) and thereafter 
retransmits browsing commands received from user site 
105a to server site llOg; and a third routine removes 
(and possibly substitutes) portions of the browsing com- 
rhands that would identify user site 105a to server site 
HOg (and the plurality of intermediate user and server 
sites 105/110). The term Vouline," as used herein, is 
construed broadV to not only include conventional 
meanings such as program, procedure, object, task, 
subroutine: function^ algorithm, instruction set and the 
like, but also sequences o1 instructions, as weD as func- 
tionally equivalent firmware and hardware implementa- . 
lions. 

Altemaiively. according to an exemplary peripheral 
proxy system (generally designated 120) of the present 
invention, which is discussed in detail vyith reference to 
RGURE 5. that is designed for use with network 100 
again having a server site 11 Og capable of being 
browsed by a user site 105a based on eubstilute iden- 
tifiers received into senrer site 11 Og and that are per- 
sonal to user site 105a Exemplary peripheral proxy sys- 
tem 120 includes first and second executable routines. 
The first routine, which may advantageously reside in 
user site 105a or, alternatively, in central proxy system 
110a, constructs a particular cubstitute identifier from 
tibata particular to user site 105a The second routine, 
which may also advantageously reside in user site I05a 
or, partially, in user site 105a and central proxy system 
110a, iransnrvtsthe penicular substitute identifier to cen- 
tral proxy system 110a. Central proxy system 110a then 
retransmits the particular substitute identifier to sender 
site 110g and thereafter communicates (e.^.. transmits, 
receives, etc.) information {e.g., browsing commands, 
data, etc.) between user site 105a to server site llOg. 

According to the illustrated ennbodimsnt, peripheral 
proxy system I20differs from central proxy system 11 6a 
by the location of execution of the firsi and second rou- 
tines. In the illustrated central proxy embodiment, all 
routines are executed by central proxy system 110a, 
which means that all users must send user specific in- 
formation to central proxy system 110a. In the illustrated 
peripheral proxy system 120, the first and second rou- 
tines may be executed in a proxy subsystem associated 



with user site 105a. In one advantageous embodiment, 
user system 1 0Sa's user specific tnfonmation (e.g.. user 
identification, passwords, e-mail addiesses, telephone 
numbers, credit card numbeis. postal address, etc.) ra- 
^ main focal, which will typically be more secure than cen- 
tral proxy system 1 1 0a. 

As set forth hereinabove, an ISP. such as NET- 
COf^, or a networ king service, such as Af^ERICA ON- 
LINE® or COMPUSERVE®, can advantageously em- 
ploy either exemplary prc»(y system (oemral or periph- 
eral) to provide anonymous communication (transmis- 
sion, reception, retransmission, etc) of browsing {e.g., 
accessing, selection, reading, etc.) commands between 
user sites and server sites. 

An important aspect of the above-identified embod- 
iments is the use of site-specific substilute identifierB to 
ellrninate the need for a user to have to Invent" a new. 
user name and password for each server site which re- 
quires the establishment of an account {e.g., the NEW 
YORK TIMES, the WALL STREET JOURNAL, the 
NEWSPAGE6) and ESPNCH) sites). The illustrated enr^ 
bodiment generates secure substitute identifiers [e.g., 
afias user names. passMords. enrnail acidresses, postal 
addresses, credit card numbers, etc.) that are d'istir)ct 
and secure for the user. The user provides one or more 
character strings (which may be random) once, which 
may advantageously be at the beginning of a proxy sys- 
tem session. The proxy syiitem uses the same to gen- 
erate one or more secure site*specific substitute identi- 
fiers fa the useir - thereby freeing the user from the bur- 
den of inventing new and unique ident^iers for each 
server site. Moreover, the user no longer has to type 
such secure identifiers every time the user returns to a 
particular server site requiring an account: instead the 
proxy system provides the appropriate secure identifiers 
automaticalty. In an advantageous embodiment to be 
described, the proxy system fitters other identifying in- 
formation (e.g., HTTP headers, etc.) sent by usei" site 
1 05a while browsing server sites. It is important to keep 
in mind that server sites cannot typically distinguish be- 
tween informatbn supplied by proxy system 110a and 
information supplied by user sfte I05a - central, pnoocy 
system 1 1 0a being transparent to carver sites. 

In one embodiment, the suksstltute identifiers are 
transmitted on demand from servers, without any inter- 
vention from the user This process autorhates the re- 
sponse to a 'basic authentication request.* which is a 
common procedure used by servers to identify users on 
the World Wide Web. In this way, the user Is not bur- 
dened by this activity. 

According to the illustrated embodiment, to produce 
substilute identifiers (he proxy system may suitably 
maintain secret information (secret to at least one serv- 
er-site) in the form ctf user definable character strings. 
These character strings may be user defined and may 
be maintained in some conventional nnanner such as 
storing the same to memory associated with the proxy 
system, or. advantageously, a function (described here- 
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inafter) may bo used to produce the sut)stitute identifi- 
ers, at least in part, in a&eociation with the secret infor- 
mation. According to one approach, the prcocy system 
maintains a conventional data structure to malniain the 
same, such as a database, data repository, an array, 
etc., or even an atias table, that may be used to map 
user information to their substitute, or alias, identifiers. 

According 1o one advantageous embodiment, the 
user delivers its own secret (user definable character 
string) ai the beginning of each session, which is used 
by the proxy system to gerierale. directly or indiiectty. 
the substitute idsntlfiersfor the session. This, option has 
the advantage that a user has the ftexibilliy to choose 
different proxies at different times and there is no per- 
manent secret information stored on the proxy system. 
In another related embodiment, the data comprises at 
least two secret user def inable character strings, where- 
in the first routine processes eubetitute identifiers con- 
structed in part from the at least two secret user defin- 
able character strings. Of course, alternate suitable ap- 
proaches may be used to accomplish the purpose of 
providing anonymous personalized web browshg ac- 
cording to the present invention. 

Turning now to FIGURE 2, illustrated is a block di- 
agram of an exennplary sub-network (generally desig- . 
naied 200) ol disifibined network 100. wherein sub-net- 
work 200 includes ueorsite 105a, central proxy system 
110a and server site llOg (shown among a plurality of 
Other illustrative server sites 11 0 of Internet 11 5) docord- 
ing to the principles ol the present invention. 

For purposes of illustratbn, assume that user site 
105a issues a commarid to access sender site 1 1 0g (the 
NEW YORK TRIBUNE web-site ("NIYT")). Such access 
would be via central proxy system (server site) 11 Qa. 
which ensures that user specific data concerning user 
site 105a is not communicated over the remainder of 
Internet 115 - there nrtay be HTTP header fields, for ex- 
ample, that include data about user she 1 05a that cen- 
tral proxy system 110a fitters. 

Exemplary central proxy system 110a advanta- 
geously executes on a server site that is not associable 
with user site i05a by other sites over Internet 115. Ac- 
cording to an advantageous embodiment, central proxy 
system 110a may be suitably distant, both physically 
and logically, from user site 105a - user site 105a does 
not access server-shes directly because the server- 
sites can determine both physically and logically the In- 
ternet Protocol ('IP") " address of the machine that 
made the request 

According to the exemplary embodiment, if user site 
l05a's command to access NYT 1l0g is user site l05a's 
first request of the current session, central proxy system 
110a recogni2e the same, and display its own 
HTML-document, possibly on user sile.lOSa's browser. 

Tiirnlng momentarily to FIGURE 3. illustrated Is an 
exemplary full screen window of a conventional browser 
300 ('NETSCAPE®") displaying an inlaid interface 305 
('JANUS^^') of centralproxy system llOa according to 



the prtriciples of the present invention; fxemplary inter- 
face 305 prompts a user of site 105a to enter user de- 
finable character strings, which according to the illus- 
trated embodiment includes identification (MD") data 
s and secret ("S*) data supplied by the user. Each user 
initially supplies a user 10 {e.g., e-mail address) and a 
user 5 to allow one or more substitute identifiers to be 
chosen or constructed (site-specific substitute identifi- 
ers are suitably constructed from data specific to user 
I05a and a particular server site which user 105a in- 
tends lobrowse). AltematK/ely. other or further data sup- 
plied by the user may be appropriate in sonrie applica- 
ik)ns (e.g. . credit card number, poet office address, han- 
dle, etc.). 

According to the advantageous embodiment, sub- 
stitute identifiers may be constructed (generated) using 
a sutable fundionthat includes the features ol anonym- 
ity, consistency, oolltsion resistance and unK|ueness, 
protection from creation of dossiers, and single secret 
and acceptability. Concerning anonymity, the identity of 
the user should be kept secret; that is, a server site, or 
a coQlition of sites, cannot determine the true identity of 
the user from its substitute identification. Concerning 
consistency, lor each server-site, each user should be 
provided with some substitute identiTiers allowing the 
sen/er site to recognize the user given the same, there- 
by enabling the server site to pereor^lize the user's ac- 
cess and the user can thus be 'registered* at the server 
site. 

With respect to coOiskxi resistance and unique- 
ness, given a user's identity and a server site; a third 
party should not find a different user identity v^ich re- 
sults in the same alias (impersonation) for that server 
site. As to protection from creation of dossiers, the user 
is likely to be assigned a distinct alias (substitute iden- 
tifier) for distinct server sites, so that a coaliitori of sites 
is unable to leam a user's habits and build a user profile 
(dossier) based on the set of sites accessed by the user. 
Lastly, single secret (user definable character string) 
and acceptability prbvidee. given the user's identity and 
a single secret, automatic generation of secure, distinct 
aliases (substitute identifier) as needed for each sender- 
site, transparent to the user - from the user's perspec- 
tive, the user definable character string is equivalent to 
a universal password for a collection of server-sites. 

Accordir>gtothis embodiment, a user 10 is "corrupt" 
(not secret) if an adversary (one or more server sites 
desirous of identifying the user). E.. has been able to 
read the user's secret. S. Alternatively, a user ID k 'par- 
tially opened' (not fully secure) with respect to a partic- 
ular server site, iv. if f has been able to read the alias 
password; a user ID is 'opened" (not secure) with re- 
spect to w, if it is panialiy opened and E has been able 
to relate the alias password together with the alias user 
name to the user 10. Assuming that the tunctlon, T(), is 
defined as follows, Tluser ID, web-site ('ia^), S) = f sub- 
stitute username, passwords/, hence, T(id, nr, S) = (IM 
Pw): and Tu(i(i,w.$) =: UwBr\&Tp(id,w,S) = Pw. 
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Tu (US, w, S) = Uw= h(enc(k,id, f($j,w))} 

and 

wherein 

id denotQfi ufie.r site 1 0Sa's ID (9.g., d-mail 

address); 

Yf denotes server site llOg's domain 

name; 

// denotee the logical funcllon of concate- 

rialion: 

5 denotes k//s//s^ a user site 1Q5a defin- 

able character string; 

xof denotes the Boolean funclbn of exclu- 

sive or/ 

f(Kx) denotes a suitably arranged function for 

generating pseudo-random values, and 
may be selected fronn a group or func- 
. tione, euch ae des(k,h(x),x): 

enc(kxO 6er\o\es r//(f(k,r)xor x); 

h() denotes a collislon>resi^ant hash func- 

tion, such as MD5; and 

des(k,hx) denotes DES encryptbn in cipher block 
chaining CCBC"! mode, which are 
known, of triformation x using key lirand 
an initialization vector L . 
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Both Tu() and TpQ niay suitably truncate the result o1 
the hashing function, h(), to tit the longest altawed user 
name or password for the particular server site. os 

Retaiing this function, T(y to the above-identified 
and described tealuree yields the folk>wing: 

1. E can or^y guess ai ihe identity. ID, of a user 
which is only partially opened and uncorrupted, ^ 

2. T() is a deterministic functk>n and B can only 
guess at the alias-password of a user which is un- 
opened and uncorrupted. 

3. Given lyandan uncornjpted and unopened user 

ID. f can only guess at the ID and S. ^ 

4. For an uncorrupted user ID and w, T(id,w,S)6oQS 
not give to E infom^ation about 7fic(iv*S^farany v/ 
not equal to ^. . . 

5. The range of T(id, w,S) is such that it is accepted 

by sen/er sites as a valid username and password so 
» implying a limited length string of printable char- 
acters. 

Those skilled in the pertinent art will understand that al- 
ternate suitable functions may replace or be used In as- 55 
sociation with the foregoing adDordir>g to the principles 
of the present invention. 

Use of the foregoing exemplary substitute tdeniifier 



constructing function, and for that nnatter, any other suit- 
ably a nranged function for constructing substitute iden- 
tifiers according to the present invention: operates to 
foster the above-identified features of anonymyzed and 
persortaiized browsing. The present invention provties 
the ability to anonymously visit a sen/er site a first time 
via site-specific sut>s[hute identifiers, to Interact with the 
server site as a function thereof, and to re-vish the serv- 
er site on subsequent occasions using the same site- 
specific substitute identifiers, hteracting with the server 
site as a return customer possibly receiving person- 
alized attention - as a function of the recognized sub- . 
stitute identifiers. Sirrply stated the substitute identifi- 
ers are constructed consistently and in advantageous 
embodinr^nts in a site-specific manner. 

\t\ one embodiment of the present invention, the 
substitute ktentifiers include stte-6pecifc5ul3stitute user 
names and site-specific substitute user passwords. 
•Site-specific' means that the names and passwords 
vary from site to site, depending perhaps upon the ad- 
dress ot each site. This may complicate the task of cre- 
ating a dossier relative to a given user. In a related em- 
bodiment, the first routine constructs site-specific sub- 
stitute e-mail addreeses lor user site l05a from the site- 
specific data. In an alternate advantageous embodi- 
ment, the first routine constructs the site-specific sub- 
stitute identifiers from addresses of the server sites - of 
course, site-specific inforrrialion othisr than the address 
of the site rnay be used to construct the substitute iden- 
tifiers. 

If this is the first contact ot the user with central 
proxy system 11 Oa. then the user may suitably generate 
a user defined character string (secret) at random and 
store the same locally. In one advantageous embodi- 
ment, the first routine processes substitute identifiers 
thai may be constructed by applying pseudo-random 
and hash functbns {e.g., T() functbn set forth herein- 
above) to the data received from user site 1 05a - friose . 
skilled h the ad are familiar with the structure and op- 
eration of peeudo -random and hash functions and their 
utility. The important aspect of this and related embod- 
iments is that the present invention Is adapted to taka 
advantage of current and later-discovered furYCtions to 
enhance anonymity and security 

Alternatively if this is the first contact of a current 
session then the user may suitably enclose the stored 
user defined character string to central proxy system 
11 Oa. Nonetheless, browser 300 sends interface 305 to- 
gether with a user's ID and other user definable charac- 
ter string to central proxy system 110a. Central proxy 
system 1 1 0a receives this information and may use the 
same for the rest of the session 

In one advantageous embodiment, the first routine 
receives or generates session tags that a re added to the 
browsing oomnnands. central proxy site iiOa employing 
the sessbn tags to associate the sut>6titute kilentifierB 
with each of the browsing commands - the session 
lags, while not necessary to the present invention, pro- 
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vide one manner that allows user sites 105a to supply 
llieir data only once, usually at the beginning of each 
session. In a related advantageous embodinnent, cen- 
tral proxy site 110a includes a data store that is capable 
of containing session information specific to user sites ^ 
lOSa and accessible by server sites 11 Og. 

In one advantageous embodiment, the second rou- 
tine desciibed above, which may be local to the central 
proxy system 110a. transmits the substitute identifiers 
to sender site 1 1 0g. In a further advantageous embodi- fO 
ment. the second routine transmits the substitute iden- 
tifiers to server site 1 10g based on aiphanurneric codes 
supplied in fields of web-pages 305 kjy the users. The 
alphanumeric codes prompt the second routine as to 
how and where to locate the substitute identifiers, re- 
moving the users from actually having to provide the 
substitute identifiers directly. Of course, the alphanu> 
merit oodes may be supplied in a diflerent form. In a 
relaled, rirxxe specific embocfimeni, the users manually 
place the alphanumeric codes in the fields of web-pages 
305. Of course, the present invention encompaseae In- 
telligent parsing of the fields of web pages 305 to deter- 
mine automatically how and where the alplianumeric 
codes should be located. Those skilled in the art are fa- 
miliar with the Internet in general the World Wide Web 
in panicular and the way in which the siaicture of the 
World Wide Web promotes 'browsing." The present in- . 
vention finds apparent utility in conjunction with the In- 
ternet and the World Wide Web. however, those skilled 
in the art win readily understand that the present inven- 
tion has advantageous applicaibn outside of the Inter- 
net as well in any suitably arranged computer, commu- 
nications, multimedia or like netwofl^ configuration. 

Nonetheless, after central proxy system 110a ob- 
tains the required information at)out the user, the above- 
described third routine removes ponions of the browsing 
commands that would identify user site lOSa to server 
site llOg, and forwards user site l05a's original request 
for access to NYT-siie nOg (e g , using an HTTP get- 
request) thereby selectively excluding from the re- ^0 
quest header-fields or the like that may identity the user. 

If this i$ the user's first visit to NYT-she 1 lOg. then 
it may suitably provide the user with an electronic form 
prompting, for example, for a user name, a password 
and an e-mail address in order to establish an account. 
Turning momentarily to FIGURE 4, illustrated is exem- 
plary full screen window of conventional NETSCAPE® 
browser 300 displaying an inlaid interlace 400 ("THE 
NEW YORK TRIBUNE*) Of senrer site 11 Og according 
to the prcnciplee of the present invention. so 

Now, instead of having to provide a unique user 
name and a secret password, the user may suitably pro- 
vide these fields with simple escape strings (B.g., 'kuv- 
uu>''and'<pppp>'). N^orespecificalfy: the alphanumeric 
codes above-described may be suitably arranged Into 55 
such escape sequences - those skilled in the art are 
fanruliar with escape sequences. These strings are rec- 
ognized by central proxy site il0a which uses user site 



105a's user name and secret {user definable character 
string) along with the donrein name of the NEW YORK 
TRBUNE and computes substitute identifiers (e,g„ ali- 
as user name, u3, and alias password. p3, in FIGURE 
2. etc.), such as by function T(IO, SGcrot, cfowa'm-namQ). 
The site-specific substitute identifiers nriay be sent to a 
particular sen/er site by central proxy system nOa using 
the sarne mechanism lhal the user would submit input 
totheparticular sender site. In other words, proxy system 
110a receives information coflnmunications. such as 
browsing commands, from user site 1 05a intended for 
sen/er site 11 Og, and retransmits the same to server site 
1 10g - central proxy system 1 1 0a lunciioning as a trans- 
patent coTKtuit for anonymizing and, through consistent 
generation of she-specific substitute identifiers, person- 
alizing sen/er site browsing. 

On a subsequent visit lo NYT-site llOg, which will 
require that user site I05a authenticate itself (response 
to the first get-request forwarded to NYT-site 1lOg by 
central proxy system 110a). central proxy systerh 110a 
may be suitably operative to autonnatically recompute 
u3and pd and reply by sending these values t>ack to 
NYT-site 11 Og (re-sending the gel-request). User site 
lOSa is thereby freed from the burden of remembering 
the user name arid password of its NYT-site 1l0g ac- 
count. To summarize, the protocol, which may be suitia- 
bly executed without involving user site I05a, includes: 
O)astepof NYT-siteservcr 110g requesting an authen- 
ticatton frorrt central proxy site 110a by failing the first 
get request; (2) central proxy site 110a reconputing the 
substitute identifiers (e.g., (alias- user name, alias-pass- 
word) = T(ID. secml domain-namel or the tike); (3) cen- 
tral proxy site 110a replying by re-sending the get with 
the same substitute identifiers. 

. The substitute identifiers are consistent in the sense 
ihat the substitute identifiers are presented oh subse- 
quent visits to the same senrer site by user lOSa. Con- 
sistent substitute identifiers allow server sites to recog- 
nize returning users and provide personalized service 
to them. In one embodiment, the second routine trans- 
mits the substitute identifiers on demand from servers; 
without any intenrention from user I05a. This process 
autonnates the response lo a 'l^asic authentication re- 
quest," which is a common procedure used by servers 
lo identify users I05a on the World Wide Web. In this 
way, user 105a is not burdened by this activity, in this 
embodiment, the second routine may have to re -trans- 
mit the original user request along with the substitute 
Identifier to the server. 

It should be noted thai many servers require a valid 
©-mail address for creating an account •- users cannot 
use their true e-mail address for this purpose since it 
uniquely identifies them. The proxy system of the 
present invention may suitably solve this problem by 
creating an alias e-maii address for user site I05a and 
store e-mail in an electronic mailbox. In one adi^anta- 
geous embodiment, central proxy system 110a includes 
8 data store capable of containing e-mail destined lor 
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the users, thereby preventing server sites from contact- 
ing users directly. Contrary to prior art anonyrrK>us re- 
mailers, the present embodiment is not required to rely 
on having to store any translation tables <which may be 
large and vulnerable) from alias to true user identifiers 
In central proxy system 110a. This embodimerit is inher- 
ently securer than prior art approaches as central proxy 
eyelem 110a is not required to maintain and protect a 
translatbn table and cannot be forced to reveal the con- 
tents of any such table to a ihird party. 

In an alternate advantageous embodiment, central 
proxy system 1 05a further includes a data store capable 
of containing e-mailboxes for the users and specific lo 
the server sites. According lothis embodiment, each us- 
er has a maDbox for each site that has generated mail 
destined for the user. Rather than oomptomising &ecu> 
rrty by allotAring automatic remailing to the user, the 
present embodiment may store e-mail for explicit re- 
trieval by each user. 

For each server, it may be advantageous for users 
to have a separate &~ma\\ box, possibly identified by us- 
er-substitute identifiers. This approach may albw for 
suitable disposal ol ^-maU messages received trom the 
third-parties (e.g., *junk e-mail') as well as the option of 
selective disposal of e-mail messages. 

In one advantageotjs embodiment, each oi e-mail- 
boxes has a key associated therewith, the key being a 
function of the data and an index number The use ol 
keys with e-mailboxes is known. In another advanta- 
geous embodiment, central proxy system 110a further 
comprises a computer-executable routine thai, given 
the substitute identifiers, collects e-mail destined for the 
users and contained within a plurality of site-specifc e- 
mailboxee. This embodin^ent may suitably employ a 
mail -collecting routine that automatically locates user 
site lO&a's various mailboxes and retrieves the mail 
therefrom once the user has supplied the appropriate 
d^a. 

According to one advantageous embodiment, cen- 
tral proxy system 1 10a includes functionality necessary 
to support electronic payment, the users employ elec- 
tronic payment information to engage in anonymous 
commerce with the sen/er sites. To facilitate the same, 
central proxy system 11 Oa may include a data store ca- 
pable of containing such electronk: payment hforma- 
tion. Further, substitute identifiers may t>6 constructed, 
at least in pan, using credit/debit card numbers, bank 
branch or account numbers, postal addresses, tele- 
phone nunioers, tax identification numbers, social se- 
curity numbers or the like. Various methods for achiev- 
ing anonymous commerce are known. 

By way of funhei example, an ever increasing 
number of sites require a valid credit cand numt)er as 
part ol establishing an account, so that such sites may 
charge the user tor their sen/Ices (e.g., WALL STREET 
JOURNAL(B>. ESPN(g>. etc.). While the above <l escribed 
proxy system pirovides substitute tientifiers to free users 
from remembering these items and by providing a guard 



on (involuntary) data flowing to the wetvsite, it may not 
provide complete anonymity to a user who has provided 
a credit card numbei lo a site. One solution, described 
briefly above, requires central proxy system 11 Oa to pro- 

£ vide its own vatkl credit card number to the requesting 
site and then collect money from its users. If central 
proxy system 105a is incorporated into an Internet pro- 
vider, for example, such as AMERICA ONLINE®, then 
(his relatbnship n^ay already exist. 

^0 Alternatively, ceniral proxy system llOa may be 
known and trusted by other sites, thereby aUowing cen- 
tral proxy system 1 1 0a to generate an alias credit card 
number and expiration date, and then to authentteate 
this data and send it to a requesting site. The she can 
then check that this number indeed originates from-cen- 
tral proxy system 1 10a and hence accepts the same as 
valid, with the understanding that it can collect the mon- 
ey from central proxy system 110a. There no longer re 
a need to send a 'real' credit card number between cen* 

20 iral proxy system 1 1 0a and the sites 

It is imponani to realize that the various features 
and aspects of the embodiments above -described may 
also be suitably implemented in accordance with the pe- 
ripheral proxy system deecribed wjth reference to FIG- 

^ URE 1. More particularly, turning momentarily to FIG- 
URE 5, there is illustrated a block diagram of an exem- 
plary sub-network (gene rally designated 600) of the dis- 
tributed network ol FIGURE 1 showing a peripheral 
proxy system 1 20 that irK:ludes each of user site I05a. 

30 central proxy systeni 110a and NYT-site llOg (shown 
among a plurality ol other iOustralive server sites 110 of 
Internet 115) according to ttie principles of the present 
invention. 

Peripheral proxy system 1 20, as set forth alxDve, in- 
3$ eludes first and second executable routines. The first 
routine, which advantageously resides in usersite 1 05a, 
constructs substitute kfentifiers from data particular to 
user site I05a The second routine, which also illustra- 
tively resides in user site 1 05a, transmits the substitute 
40 identifiers to central proxy system 110a Central proxy 
system 110a then retransmits the substitute identifiers 
10 server site iiOg and thereafter communicates (e.p.. 
transmits, receives, etc.) information (e.^., browsing 
commands, data, etc.) between usersite lOSa to server 
45 site llOg. TTils second configuratton is particularly ad- 
vantageous when users nnay not trust central proxy sys- 
tem 110a or the conrvnunicatlon lines therebetween, and 
want to Keep user identifications and other secret infor- 
mation secure. 

so A kxal proxy system 51 0 may be used to maintain 
the same, and may use the user's identification and oth- 
er informal ion to compute the substitute identifiers, t-o- 
cal proxy system 510 communicates wHh a central proxy 
system llOa, which may be used lo forward communi- 

55 catton to sen/ers and handle e-nrtall. In one enribodlmeni, 
central proxy system 110a comnrujnicates with compu- 
ter-executable local routines associated with the users, 
the local routines oonstaicting the site-specifk: substi- 
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tute identifisrs from data specific to the users. Again, 
central proxy system 110a may rety on distributed rou- 
tiroes, local to each user, thai generate the substitute 
tdontifiers and tiansmii the same tocemral proxy system 
110a 

Turning now to FIGURE 6. illustrated Is a block dl- 
agram of an exemplary sub-network (generally desig- 
nated 600) of the distributed network 100 including each 
of user site 105a, central proxy system 110a and a plu- 
rality of Illustrative server slies li0b. 11 Oc, and ll0g ac- 
cording \o an exemplary marker proxy emtx?diment of 
the present invention. As described above, the central 
proxy system of the present invention may be employed 
in at least two configurations, namely, a central proxy 
configuration (riGUPE 2) or a peripheral proxy conftg- 
uralion (FIGURE 5). 

In the central proxy configuration, central proxy sys- 
tem 110a computes substitute kientifiers. An implemen- 
tation of this configuratkin may require user site iOSa to 
proykje one or wore user definable character strings (e. 
g., user ident'rfication. password and other secret infor- 
mation) once, arxl central pnoxy system 110a will there- 
after generate the substitute identifiers as needed. Cen- 
tral proxy system 1 1 0a may associate the user definable 
character strings with a series of HTTP requests gener- 
ated by the same user site 1 05a - the central proxy sys- 
tem iioa may associate each request with a sessk^n, 
that contains a II connmunication between a specific user 
site i05a and the central proxy system iiOa 

The HTTP protocol however does not generally di- 
rectly support sessions or relationsNps between re- 
quests. I^e panicularly, each HTTP request may be 
sent a new socket connection, and there is no required 
HTTP header fieti that can link successive requests 
from the same user 

It should be noted ihanhe session identification is 
typically noi necessary in the peripheral proxy configu- 
ration since central proxy system 110a nnay forward 
communications without any compijiation. In a typical 
embodiment, peripheral proxy system 1 20 retransmile 
browsing commands rece'rved from user site 105a to 
central proxy system nOa, which then retransmits such 
commands to server site 110g. According to one em- 
bodiment, peripheral proxy system 120 removes and, 
possibly, substitutes portions of the browsing com- 
mands that woukj identify user site 105a to server she 

nog. 

In one advantageous embodiment user site 105a 
runs a marker program €05 locally. Marker program 605 
operates to tag user site lOSa's requests with a session 
tag, t Central proxy system 11 Oa uses this tag to identify 
requests belonging to a particular one of a group of us- 
ers. Marker program 605 may be implemented to store 
user site l05a'6 session tag and add this tag to alt re- 
quests, and central proyy system 110a removes the ses- 
sion tag before forwarding the request to some eerver 
site. The sessk)n tag should be unique, as no two users 
should have the same tag. 



It shouU be noted that NETSCAPE® uses 'oookies, 

* which are a mechanism for storing and retrieving long 
term session inlormation (the use ol 'cookies" concep- 
tually is known). The cookies are generated by the 

s browsed servers ar>d are assoc iaied with a specilic do- 
main name. Browsers 300 submit the cookies associat- 
ed with a specific domain name whenever the user rer 
visits that dornain. Sen/ers typically only generate cook- 
ies associated with their domain. Cookies provide an 

10 easy nr^chanism to keep session inrormatkxi. such as 
the contents of a "shopping cart," account name, pass- 
word, event counters, user preferences, etc 

Some companies, use cookies extensively to track 
usisrs and their habits. Since the proxy systems of the 

IS present invention present substitute identifiers to 
browsed servers, the servers cannot learn true user 
identities. Thus all of the information that the server may 
. store in its cookie relates to some *atias persona/ and 
not to the true user. Whenever the user returns to the . 

20 same sen/er. it will present the same substitute klentifi- 
ers, and may also submit the cookie that the server gen- . 
erated earlier lor this alias persona. 

It is apparent from above, that the presam invention 
provides, for use with a network having user sites and 
sen«r sites, wherein the server sites are capable of be- 
ing browsed by the user sites based on identifiers re- 
ceived into the server sites and personal to the user 
sites, both a central and a peripheral proxy system for 
providing consistent substitute identifiers to the sender 

30 sites that allow the user sites to browse the server sites 
in an anonymous and personal fashion via the proxy, 
system. 

An exemplary central proxy system includes: (1 j an 
executable first routine that processes site-epecffic sub- 

^ stitute identifiers constructed from data specif k: to the 
user sites, (2) an executable second routine that trans- 
mits the substitute idenlifiers to the sen^r sites and 
thereafter relrarismits browsing commands received 
from the user sites to the sender sites and (3) an execut- 

^ able third routine that removes (and possibly substi- 
lutes) portions of the browsing commands that would 
kientify the user sites to the server sites. 

An exemplary peripheral proxy system includes: (1 ) 
an executable first routine that constnicis a particular 

^ substitute identifier from data received from a particular 
user site and (2) an executable second routhe that 
transmits the partk^ular substitute identifier to a central 
proxy system, the central proxy system then retransmit- 
ting the panicular substitute identiHer to the sen/er site 

so and thereafter retransmtuing browsing oommands re- 
. ceived from the particular user site to the server site. 
Although the present invention has been described 
in detail, those skilled in the art should understand that 
Iheycan make various changes, substitutions and alter- 

ss aiions herein without depanlng irom the scope of the 
im/enlion in its broadest tomr^ k/tore partk^ularly, it shouki 
be apparent to those skilled in the pertinent art that the 
above-described routines are software-based and exe- 
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cutabiB by a suitable convenlional compulei system/ 
network. Alternate embodiments of the present inven- 
tK3n may also be suitably implemenled, at least in pari. 
In firmware or hardware, or some suitable combination 
of at least two of the three. Such flrmware-or hardware s 
embodiments may include mutti, parallel and distributed 
processing envlronmenls or configurations, as well as 
alternate programmable logic devices, such as pro- 
grammable a nray logic ('PALs") and progranrmable log- 
ic arrays ("Pt-As"). digital signal processors ("DSPs"), fO 
field programmable gate arrays ("FPGAs"). applicalion 
specific integrated circuits ('ASICs'}, large scale inte- 
grated circuils (TSIs*). very large scale integrated cir* 
cuits ("VLSIs*) or the like - to form the various types of 
modules, circuitry, cQntrollerB, routines and systems de- 
scribed and claimed herein. 

Conventional computer system architectu re is more 
fully discussed in The Indispensable PC Hardware 
Book, by Hans-Peter Messmer. Addison Wesley (2nd 
ed. 1 995) and Compvier OrganizaUon and Architeckure, 20 
by William Stallings, MacMillan Publishing Co. (3id edi 
1993); corwentional computer, or comnminications, net- 
work design is more fully discussed in Daia NeiworkDe- 
9/^/1, by Darren L. Spohn, McGraw-Hill. Inc (1993); and 
convenlional dlala communications is more fully dis- 
cussed in Voice and Data Comiwnicaiions Handbook, 
by Bud Bates and Donakj Gregory. McGraw-Hill. Inc. 
(1996). DataCommunhaiions Principles,by D. Gitlin. 
J. F. Hayes and S. B. Welnsiein, Plenum Press (li992) 
an6 The in^in Handbook of Telecommunicalions, by 30 
James Hariy Green, Irwin Professional Publishing (2nd 
ed. 1992). 

Claims as 

1. A central proxy system for coupling to a network and 
for allowing users to browse server sites on said 
network anonymously via said central proxy sys- 
tem, said central proxy system. comprising: 40 

a computer-executable first routine that proc- 
esses site-specific substitute identifiers con- 
structed from data specific to said users; 
a computer-executable second routhe that 
transmits said substitute identifiers to said serv- 
er sites and thereafter retrar^smits browsing 
commands received from said users to sak^ 
server sites; and 

a computer-executable third routine that re- so 
moves portions of said browsing commands 
that would identify said users to said server 
sitee. 

2. The central proxy system as recited in Claim 1 55 
wherein said data comprises identificatbn data and 

a user definable character string supplied by said 
users. . 



3. The central proxy system as recited in Claim 1 
wherein said site-specilic substitute identifiers com- 
prise site-specific substitute user names and site- 
specific- substitute user passwords. 

4. The central proxy system as recited in Claim 1 
wherein said first routine constructs site-specific 
substitute electronic mail addresses for said users 
from said data. 

6. The central proxy system as recited in Claim 1 
wherein said first routine constructs said site-spe- 
cific substitute kjentiliers from addresses of said 
sender sites. 

6. The central proxy system as recited in Claim 1 
wherein sad server s Hes are World Wide Web sites 
capable of presenting web pages to sakj users, sakj 
second routine transmittirig said substitute kientifi- 
ers to sakj server sites urKJer directton of said useers. 

7. The central proxy system as recited in Claim 1 
wherein said second routine irar^mits said substi- 
tute identifiers to said server sites based on alpha- 
numeric codes supplied in web page fields by said 
users. 

8. The central proxy system as recited in Claim 7 
wherein sakJ alphanumeric codes are arranged in 
escape sequences. 

9. The central proxy system as recited in Claim 7 
wherein said users manually place sad atphanu- 
menc codes in said web page fields. 

10. The central proxy system as recited in Claim 9 
wherein said central proxy system communk:ates 
with computer-executable bcal ruuttnes associated 
with said users, sakj local routines constructing said 
elte-specific substitute klentifiers from data specific 
to said users. 

11. The central proxy system as recited h Claiiri 1 fur- 
ther comprising a data store capable of containing 
electronic mail destined for said users. 

12. The central proxy system as recited in Claim 1 
wherein sad first routine processes substitute iden- 
tifiers constructed by applying pseudo-random and 
tia&h functions to said data received from said us- 
ers. 

13. The central proxy system as recited h Claim 1 fur- 
ther comprising a data store capable of containing 
electronic mailboxes for said users and specific to 
said server sites. 

14. The central proxy system as recited in Claim 13 
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22. The peripheral proxy system as recited in Claim 20 
wherein said particular Bubetilute identifier compris- 
es a parltcular substitute user name anda particular 
subsihute user password. 

s 

23. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs a particlilar 
substitute elect ronb maB address for said particular 
user from said data. 

w 

24. The peripheral proxy system as reched in Claim 20 
wherein said first routine constructs said particular 
substitute identifier from an address ol said server 
site, said particular substitute identifier therefore 
being specific to said server site. 

25. The peripheral proxy system as recited in Claim 20 
wherein said server site is a World Wide Web site 
capable of presenting at least one web page to said 

20 users, said central proxy system transmitting said 
particular substitute identifier to said server eite un- 
. der direction of said particular user. 

28. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system said particular 
subsiiiute identifier to said server site based on al- 
phanumeric codes supplied in web page fields by 
said user. 



wherein each of said electronic mailboxes has a key 
associated therewith, said key being a function of 
said data and an index number 

15. The central proxy system as recited in Claim 1 fur- 
ther comprising a computer-executable routirw 
thai, given said substitute identifiers, collects elec- 
tronic mail destined for said users and contained 
within a plurality of site-specific electronic mailbox- 
es. 

16. The central proxy system as recited in Claim 1 
< wherein said first routine receives session tags add- 
ed to said browsing commands, said central proxy 
system employing said session tags to associate 
said substitute Identifiers with each of said browsing 
commands. 

17. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
session informatioh specific to said users arKf ac- 
cessible by said server sites. 

16. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic payment information, said users employ- 
ing said electronic payment infornnation to enQage 
in anonyn>ous comnnerce with said server shea. 

19. The central proxy system as recited in Claim 1 fur- 
ther comprising an initializhg routine that con- 
structs said site-specific substitute identifiers from 
data specific to sab users and communicates said 
site-specific substitute identifiers to said first rou- 
tine. 

20. A per^sheral proxy system tor coupling to a network 
and lor allowing at least one user to browse a server 
site on said network anonymously via a central 
proxy syetenn, said peripheral proxy system com- 
prising: 

a computer-executable lirst routine that con- 
structs a particular substitute identifier from da- 
ta received Irom a particular user; and 
a computer-executable second routhe that 
transmits said particular substitute identifier to 
said central proxy system, said central proxy 
system retransmitting said particular substitute 
identifier to said server site arxj therealter re- 
transmitting browsing commands received 
Irom said particular user to said server site. 

21. The peripheral proxy system as recited in Claim 20 
wherein said data comprises Identification data and 
a user definable character string supplied by said 
particular user. 



30 27. The peripheral proxy system as recited in Claim 25 
wherein said alphanumeric codes are arranged in 
escape sequences. 

.28. The peripheral proxy system as recited in Claim 20 
35 wherein said central proxy system further compris- 
es, a computer-executable third routine that re- 
moves portions of said browsing commands that 
would identify said particular user to said senrer 
site 

40 

29. The peripheral proxy system as recited in Claim 2B 
wherein said first and second routines are execut- 
able on a computer system associated with said 
particular user and said central jproxy system is a 

^ computer system fiaving a networtt address differ- 
ent from sa Id computer system associated with sa id 
particular user. 

30. The peripheral proxy system as recited in Claim 20 
wherein said central proxy eyelem further compris- 
es a data store capable of containing electronic mail 
destined for said particular user. 



31, The peripheral proxy system as recited in Claim 20 
55 wherein sab first routine constructs said particular 
substitute identifier by applying pseudo-iandom 
and hash functions to said data received from said 
particular user. 
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32. Thd peripheral proxy system as recited in Claim 20 
wherein said central proxy system lurther compris- 
es a data stoie capable of corttaining an electronic 
mailbox for said particular user and specific to sab 
server Gite. 

33. The peripheral proxy system as recited in Claim 32 
wherein said elactronic mailbox has a key associ- 
ated therewith, said key being a furtction of said da- 
ta and an index number. 

34. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable routine that, given said 
particular substitute identifier, collects electronic 
mail destined for said particular uaer and contained 
within at least two electronic mailboxes. 

35. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system lurther compris- 
es a computer-executable marker iroutine that adds 
session tags to said browsing commands, said 
proxy system enrrploying said session lags to asso- 
ciate said, particular eubstilute identifier with each 
of said browsing comnnands. 

36. The peripheral proxy system as recited in Claim 20 
wherein sakJ central proxy system lurther compris- 
es a data store capable of contiaining session infor- 
mation specific to said particular user and accessi- 
ble by said server site. 

37. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system lurther compris- 
es a data store capable of containing electronic pay- 
mem information, said particular user employing 
said electronic payment information to engage In. 
anonynK7U5 commerce with said sender site. 

38. A method for use with a network having a server 
site capable of being browsed by users and tor al- 
lowing said users to browse said server site on said 
network anonymously via said proxy system, said 
method compris'mg the steps ot 

constructing a particular substitute identifier 
trom data received from a particular user; 
transmittng said particular substitute identifier 
to said server site; and 

thereafter retranemitling browsing corpmande 
received from said particular user to said server 
site. 

39. The method as recited in Claim 38 wherein said da- 
ta comprises identification data and a user defina- 
ble character string suppfied by said particular user. 

40. The method as recited in Clairin 38 wherein saidpar- 



ticuier substitute identifier conrrprises a particular 
&ut>stilute user rvame and a particular substitute us- 
er password. 

£ 41 . The method as recited in Claim 38 further compris- 
ing the step of constructing a parttcuiar substitute 
electronic mail address for said particular user from 
said data. 

'0 42. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of con- 
structing said particular substitute identifier from an 
addressof saidserversite. said particular substitute 
identifier therefore behg specif k to sak:! server site. 

IB 

43. The method as recited in Claim 38 wherein said 
server site is a Wor Id Wide Web site capable of pre- 
senting at least one web page to said users, said 
method further comprising the step of transmitting 

20 said partbularsut>stitute identifier to said server site 
und&r direction of saki particular user. 

44. The nr\ethod as recited in Claim 38 wherein said 
step of transmitting comprises the step of Iransrnit- 

^ ting sak) particular substitute klenl ifier to said eeiver 
site based on alphanumerk; codes supplied h web 
page fields by said user. 

45. The method as recited in Claim 44 wherein sakJ ah 
30 phanumeric codes are arranged in escape se* 

quences. 

4$. The method as recited in Claim 38 further compris- 
ing the step of renrwing pontons of saki browsing 
3S commands that would identify saki particular user 
to said seni/er site. 

47. The method as recited in Claim 46 wherein sakl. 
step of constructing is performed on a computer 

^ system associated with said particular user and 
said steps ol transmitting and thereafter Iransmil- 
ting are performed on a computer system having a 
network address different from saki computer sys- 
tern associated vtnih said particular user. 

45 

48. The method as recited in Claim 38 further compris- 
ing the step of storing electronk^ maW desthed for 

said particular user. 

so 49. The metfiod as recited in Claim 38 wherein eaki 
step ol constructing comprises the step of applying 
pseudo-random and hash functions to said data re- 
ceived from saki partk:ular user. 

55 so. The method as recited in Claim 38 funher compris- 
ing the step of creating an electronic maibox for 
said particular user and specifk; to said server site. 
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51. The method as recited in Claim 50 NMherein said 
electronic mailbox hae a key associated therewith, 
said key being a lundkxi of said data and an index 
number. 

s 

52. The method as recited in Claim 38 lurther compris- 
ing the step of colleaing electronic mail destined for 
said particular user and contained within at least 
two electronic maiboxes given sakj particular sub- 
si it uie identifier. \o , 

53. The method as recited in Claim 38 further ccmpris- 
, ing the step of adding session tags to said browsing 

commands, said proxy system employing said ses- 
sion tags to associate said particular substitute 
identifier with each o1 said browsing commands. 

64. The method as recited In Claim 38 further compris- 
ing the step of storing session informatkdn specific 
to said particular user and accessible by said server 20 
site! 

55. The method as recited in Claim 38 lunher compris- 
ing the step of storing electronic payment hforma- 
tion, said psarticular user employing said electronic 
payrrieni information to engage in anonymous com- 
merce with saki server site. 
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Netscape: Janus Useildenltficafon 



Fie EdS Ven Go Bookmarte Opiions Olrecto/y Window 



Help 



0 

M 



•o 

Foiwnl 



Hone 



UnaflesHOpenll Print II Find 



Locafon: 



P 
Step 



Welcome to Janus! 



Janus is a system far personalized anortpous Web access. 

J^us generares consistent untraceable aliases for vou bm the 
infonnaqoD you piotide in Ihb page. Janus neithef stores this 
mfonnaDDD.nor passes it to any scttct. Cwiscquentially, Janus docs . 
not authenocate vou. You must provide tht same infnniation in fiiturt 
sessions to generate the same aliases. 

You Brill sec this form onfy once at the beginning of the session. You 
cannot change the input to Janus during the rest of your session, 
unless Janus detects Uiai it to authenticate ycu. 

The pair <u$er nane, aiia$*$eed> should be unique among allJanus users: You can use your 
E-mail addRss as your name tp reduce chance of coOisiDn With other users. Janus will noi pass 
your name to any senxr. Maximal sise for user name and seeds is lOOD characto^ each. . 

Enter your user nmt (use yog- E-mail addr:ss|: 



Enta your secret must contain at kast 8 diaradersl: 



Veri^ your secret by typing it again: 



L 



(M hoE for more infonnation aboui Janus. 
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FIG. 3 
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Netscape: Registration 



File Edit View Go BookmaAs Options Director Wincw 



f^r^irol I c».Jl^lli;li 6 II M 

iBadtllFywnlilHQmel . iRetHdllmaQKllQpen \\ ftmt P Fud 





o 




stop 



Nelsile: 



IVaBfeNw?l[Mtoin 



te5e]laiii5el 



Ml 



The New York Tribune 



Registration 

Wdaanp to The Kw Yoric Tribune on the Web. If m'rt visi-Jng m 
m the nj3i time please rcgisler nov by filliiiB out the (oto below. 
Ihere is cuirenllv no thigi for U.S. residents to subschbe to our 
site, but ftt are requiriag registration, which is a orje-limc onk 
process. . 

If jcu have alreadj r€g:stered; continue to the horr.e ?. - 1: 
you've rcgislered.iiu\ are having problems entervi' the site, 
consult our he^p section . 

Cboose a Silscriber ID for The Rev Toik Mmne on the 
Web: 



) <OOOD> 



Clioote a passyoid: 



Hinimun five characters 



UiTunuiD five characters 



Ke^Dter passvord for eonTinnatioD! 

ii I 



Eiitetyoqre-nuiladdmK 

|i<QOOO> 



. FIG. 4 
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